Deprecate saml2 frontend sign_alg and digest_alg configuration options

sign_alg and digest_alg are deprecated; instead, use signing_algorithm
and digest_algorithm configurations under the service/idp configuration
path (not under policy/default)

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/satosa/frontends/saml2.py

@@ -377,18 +377,18 @@ def _handle_authn_response(self, context, internal_response, idp):
         # Construct arguments for method create_authn_response
         # on IdP Server instance
         args = {
-            'identity'      : ava,
-            'name_id'       : name_id,
-            'authn'         : auth_info,
-            'sign_response' : sign_response,
+            # Add the SP details
+            **resp_args,
+            # AuthnResponse data
+            'identity': ava,
+            'name_id': name_id,
+            'authn': auth_info,
+            'sign_response': sign_response,
             'sign_assertion': sign_assertion,
             'encrypt_assertion': encrypt_assertion,
-            'encrypted_advice_attributes': encrypted_advice_attributes
+            'encrypted_advice_attributes': encrypted_advice_attributes,
         }
 
-        # Add the SP details
-        args.update(**resp_args)
-
         try:
             args['sign_alg'] = getattr(xmldsig, sign_alg)
         except AttributeError as e:
@@ -413,6 +413,16 @@ def _handle_authn_response(self, context, internal_response, idp):
             logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
             logger.debug(logline)
 
+        if 'sign_alg' in args or 'digest_alg' in args:
+            msg = (
+                "sign_alg and digest_alg are deprecated; "
+                "instead, use signing_algorithm and digest_algorithm "
+                "under the service/idp configuration path "
+                "(not under policy/default)."
+            )
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.warning(msg)
+
         resp = idp.create_authn_response(**args)
         http_args = idp.apply_binding(
             resp_args["binding"], str(resp), resp_args["destination"],